Restrict user roles access to certain Sites

[robinboening]

I'd like to propose adding a feature that allows restricting specific user roles from accessing certain Sites.

I believe this could also be a valuable addition to Alchemy core, so I’m opening this issue to discuss whether the following approach makes sense.

My available time for this is somewhat limited, so my goal is to implement a simple, minimal version first. Not the fully fleshed-out solution that could come later with more time and exploration.

Proposed Scope

• Use CanCan to handle Site switching for the author role (maintaining backward compatibility).
• Add an allowlist for roles to Alchemy::Site via site_layouts.yml (defaulting to all roles being allowed for backward compatibility).
• At the lowest level possible, ensure Current.site can only be set to an allowed Site.
• Use CanCan to restrict the site selector options to only show allowed Sites.

That's the general idea. Hopefully straightforward, without too many hidden rabbit holes.

What do you think about this approach?

[tvdeyen]

I like the overall idea. One thing to keep in mind is that pictures and tags are not restricted to sites. This does not necessarily be a problem, but maybe surprising behavior. We can tackle this later, though. For the implementation I think a users- sites join table makes more sense than the site layouts file to me. But maybe I am missing something. If you use user roles, what will it look like? Are you imagining a site-a-admin and a site-b-admin role? So, more like a user group instead of individual users, I guess? This might work as well and depends on the business needs. In the end we will most likely need to support both approaches. We can start with the simpler one and then iterate.

[robinboening]

One thing to keep in mind is that pictures and tags are not restricted to sites. This does not necessarily be a problem, but maybe surprising behavior. We can tackle this later, though.

Yeah, I also think that's okay.

For the implementation I think a users- sites join table makes more sense than the site layouts file to me. But maybe I am missing something.

I considered this option initially, but it requires admins to assign users and maintain the list (additional work and complexity on the admin users). It would also make sense to allow bulk assignment / removal by role, as well as for single users. I think the current resource table might not be able to serve for that and the UX won't be good enough. I see value in a solution like this, but I think it could be the next step of what I was thinking.

I'd like to start off with user role assignment in yml because it's very simple and requires zero maintenance from admin users and is very simple for developers.

Are you imagining a site-a-admin and a site-b-admin role? So, more like a user group instead of individual users, I guess?

For now, I'd keep the current behaviour (every cms user is allowed to switch sites and edit content of every site). In order to restrict access to certain sites the developer simply adds a new Role and assigns it in the yml. Like this:

# site_layouts.yml

- name: events
  page_layouts: [standard, event]
  accessible_by:
    - event_editor
    - admin

This can easily be elevated to a more elaborate solution (e.g. user assignment in the db) with a simple upgrade path.

Last night I did a quick implementation of what I have in mind. It achieves to only list accessible Sites in the selectbox and provokes AccessDenied redirects to the dashboard when trying to switch to restricted Sites or when trying to edit a page of a restricted Site.

I'll open a PR so you could try it and we can discuss on some actual code.